[turbofan] Fix lowering of JSGetSuperConstructor.

This fixes the existing lowering of {JSGetSuperConstructor} nodes to
unconditional throws. The above operator is marked as {kNoWrite} but
runtime calls are not marked as such. Any deoptimizing operation after
the throw would not be able to find a valid {Checkpoint}. We remove the
lowering case in question.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-6248
BUG=v8:6248

Change-Id: I22c922947336254502f698b02f944cf35dd8688a
Reviewed-on: https://chromium-review.googlesource.com/476570Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44632}

src/compiler/js-native-context-specialization.cc

@@ -154,11 +154,6 @@ Reduction JSNativeContextSpecialization::ReduceJSGetSuperConstructor(
     if (function_prototype->IsConstructor()) {
       ReplaceWithValue(node, value);
       return Replace(value);
-    } else {
-      node->InsertInput(graph()->zone(), 0, value);
-      NodeProperties::ChangeOp(
-          node, javascript()->CallRuntime(Runtime::kThrowNotSuperConstructor));
-      return Changed(node);
     }
   }
 

test/mjsunit/regress/regress-6248.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var sentinelObject = {};
+var evaluatedArg = false;
+class C extends Object {
+  constructor() {
+    try {
+      super(evaluatedArg = true);
+    } catch (e) {
+      assertInstanceof(e, TypeError);
+      return sentinelObject;
+    }
+  }
+}
+Object.setPrototypeOf(C, parseInt);
+assertSame(sentinelObject, new C());
+assertSame(sentinelObject, new C());
+%OptimizeFunctionOnNextCall(C)
+assertSame(sentinelObject, new C());
+assertFalse(evaluatedArg);